There are a number of steps you can take to secure credit card data in the Order Manager including configuring security and credit card system parameters as well as deleting account numbers from files transmitted to Stone Edge Technologies (SETI) Tech Support. Helpful guidelines are also available from Visa as part of the Cardholder Information Security Program.
Security system parameters
SecureAccountNumbers
Default = False
Recommendation: Set to True
If True, the Order Manager will encrypt account numbers in 2 places, order records and transaction records. (Transaction records are created when a card is charged.) All account numbers are encrypted and the encryption cannot be reversed; clicking False will not decrypt the account numbers. Account numbers are not blocked from view in the user interface; only in the table. (See HideAccountNumbers below.)
If an unauthorized person gains access to your data file, they will not be able to do anything with the account numbers without the front end of the Order Manager.
DeleteDownloadTextFiles
Default = False
Recommendation: Set to True
If True, the Order Manager deletes text files containing new order records that are created upon successful import of new orders. Normally, the program moves the text files to the Data Archives directory where account numbers are not encrypted.
*This measure is highly recommended if the merchant wishes to get Visa-certified. See CISP compliance validation on Visa's web site for more information.
AllowDeleteCreditCardInfo
Default = False
Recommendation: Set to True
If True, the program adds a button on the Maintenance tab of the Maintenance Menu called Delete Old Credit Card Info. If clicked, the user is prompted to select a date (it cannot be less than 30 days from the current date). Credit card data in records where the order or transaction date is older than the date the user specifies is deleted. Note: Once credit card data is deleted, it cannot be restored without a backup copy of the data file.
Credit Cards system parameters
CCLoadPartial
Default = False; If set to TRUE, SecureAccount Numbers must be set to FALSE
Recommendation: Set to False unless you capture credit card payments on your website and you do not need to process credits or other transactions in the Order Manager.
If True, the program only stores the first four digits and the last four digits of card numbers even if the program receives the entire credit card number. Additional transactions cannot be run therefore the vendor may not be able to perform credits to customers’ cards depending on the shopping cart. Also, the Order Manager may not be able to determine the card type if the entire card number is not present. To get around this, run the credit card capture at the web site and log the payment as received in the Order Manager.
Default = False
Recommendation: Set to True
If True, account numbers are blocked from view in the user interface; only the last 4 digits of the account number are visible.
If SETI tech support asks for a text file for troubleshooting purposes, use the Order Manager’s zip utility. Ask all users to exit the Order Manager. Go to the Main Menu and press Ctrl^Shift^Z. The program copies the data file into a new file in which all credit card numbers are encrypted (all numbers are changed to zeros "0"). The file is zipped and is ready to be transmitted via email, FTP’d, etc.
If SETI tech support asks for a text file from the Data Archives, open the file in Notepad or Wordpad and remove all account numbers from the file before transmitting to SETI.
If SETI tech support asks for a copy of an XML file (to analyze order import), open the file in Notepad or Wordpad. Delete credit card numbers denoted by the "<number>" tag before transmitting to SETI.
The following guidelines are taken from Visa’s Cardholder Information Security Program:
Build and maintain a secure network using firewalls and anti-virus software to prevent hackers or other unauthorized users from accessing cardholder data via the company’s web site or internal network. Scan all computers for viruses and spyware regularly.
Keep a record of who accesses cardholder information. Restrict access on a need to know basis. Assign unique user id’s. Restrict physical access to cardholder information, i.e. card numbers are not visible and only certain people can view complete card numbers. (This can be accomplished in the User Security system.)
Implement secure communications when transmitting cardholder information between the application and the company’s web site and between the application and the payment gateway. (The Order Manager uses 128-bit encryption available through the Internet Explorer software to communicate with merchants’ web sites and payment gateways.)
Keep secure back-up copies and data archives.
Implement regular testing of security measures. Write and put security policies in place.
Modified 9/10/10